How It Works
The system communicates with a message system to determine a user’s established patterns—their typical sending behavior, environment, location, and schedule. It uses an analysis server (or multiple analysis servers for distributed deployments) to build a profile of what’s normal for each user across temporal patterns, volume, and velocity.
When an electronic message is sent that contradicts the established user information—sent at an unusual time, from an unexpected location, or at an abnormal volume—the system detects the anomaly and takes action. Available responses include deletion, quarantine, notification, warning, re-routing, or any combination of these.
The system also integrates with disparate external systems (calendars, location services, access logs) to add context. For example, if a user’s calendar shows them in one city but their email originates from another, that conflict is detected and flagged.
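An added illustration of the approach described above, not the product's own code: a per-user baseline checked on send hour, hourly volume and a calendar/location conflict, followed by a graduated response. The class and function names, thresholds, severity mapping and sample data are all assumptions constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Message:
    user: str
    hour: int            # local hour the message was sent (0-23)
    city: str            # origin location of the sending session
    sent_last_hour: int  # messages this user sent in the preceding hour

class Baseline:
    """Per-user profile of normal sending behavior, built from history."""
    def __init__(self, history):
        self.hours = Counter(m.hour for m in history)
        self.total = len(history)
        rates = [m.sent_last_hour for m in history]
        self.rate_mean = mean(rates)
        self.rate_sd = pstdev(rates) or 1.0  # avoid dividing by zero

    def signals(self, msg, calendar_city=None):
        """Return the ways this message contradicts the user's profile."""
        found = []
        # Temporal: hour seen in under 2% of history (assumed threshold).
        if self.hours[msg.hour] / self.total < 0.02:
            found.append("unusual_hour")
        # Volume: hourly count over 3 standard deviations above the mean.
        if (msg.sent_last_hour - self.rate_mean) / self.rate_sd > 3:
            found.append("abnormal_volume")
        # External context: calendar places the user somewhere else.
        if calendar_city and calendar_city != msg.city:
            found.append("location_conflict")
        return found

def respond(signals):
    """Assumed severity mapping onto the response types the page lists."""
    if not signals:
        return []                         # matches the profile: no action
    if len(signals) == 1:
        return ["warning"]
    return ["quarantine", "notification"]

# Constructed history: office-hours sender in one city, 1-4 messages/hour.
HISTORY = [Message("alice", 9 + i % 9, "Boston", 1 + i % 4) for i in range(40)]

if __name__ == "__main__":
    profile = Baseline(HISTORY)
    for m in (Message("alice", 10, "Boston", 3),
              Message("alice", 3, "Boston", 2),
              Message("alice", 3, "Lisbon", 60)):
        s = profile.signals(m, calendar_city="Boston")
        print(m.hour, m.city, m.sent_last_hour, s, respond(s))
```

A single weak signal only warns, while agreement between independent signals escalates, which keeps one noisy dimension from quarantining legitimate mail.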
What Makes It Different
- Multi-dimensional analysis: examines temporal patterns (when), volume (how many), and velocity (rate of change) simultaneously to build a complete behavioral picture.
- Contrary-to-pattern detection: specifically identifies messages sent contrary to established user behavior, not just high-volume anomalies.
- Disparate system integration: correlates email behavior with external data sources like calendars, location information, and user schedules.
- Graduated response options: deletion, quarantine, notification, warning, and re-routing can be applied individually or in combination based on severity.
Why It Matters
Compromised accounts don’t always do obviously malicious things. Sometimes the signs are subtle—an email sent from the wrong location, at an unusual hour, or to an atypical set of recipients. This technology catches those subtle signals by understanding what normal looks like for each user, then detecting when a message contradicts that established pattern.
It’s the behavioral intelligence layer that makes Shield smarter over time.